Distinguishing and Combating DDoS Attacks

Security journalist Brian Krebs wrote an article criticizing criminals who use DDoS (Distributed Denial of Service) attacks for extortion. They flood your servers with traffic so that your intended audience can no longer reach them. After a few hours of this you receive a message explaining how you can pay to make it stop.

Soon after his article appeared, a 620 Gigabit-per-second (Gbps) flood of traffic took down his site.

As he explains, this DDoS attack set a new record. Akamai was protecting his site at the time. The largest attack they had ever seen and successfully defended against was 363 Gbps; this one was close to twice that size.

So far the really large-scale DDoS attacks have been what we call amplification (or reflection) attacks. The attacker sends small requests with a forged source address, the victim's, to large numbers of poorly configured DNS and NTP servers, and each server sends its much larger reply to the victim. (We explain how those work in Learning Tree’s System and Network Security Introduction course and in the CompTIA Security+ test-prep course.)
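What a reflection flood looks like from the victim's side is many DNS or NTP servers, none of which the victim ever queried, all sending large "replies" to one host. The script below is an added example, not code from the original post or from Akamai or Learning Tree: it groups inbound UDP flow records by destination and reflector service and flags groups with many distinct reflectors and unusually large packets. The flow records, IP addresses (documentation ranges) and the thresholds are constructed assumptions; a real deployment would feed it NetFlow/IPFIX or firewall logs and tune the thresholds to its own baseline.

```python
"""Spot DNS/NTP reflection floods in exported flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors (the ones the post names).
REFLECTOR_SERVICES = {53: "dns", 123: "ntp"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    packets: int
    nbytes: int


def detect_reflection(flows, min_reflectors=3, min_bytes_per_packet=400):
    """Group UDP traffic coming *from* reflector service ports by victim.

    A reflection flood is many distinct servers all answering one host with
    large responses it never requested. Returns
    {victim_ip: {service: {"reflectors", "packets", "bytes", "bytes_per_packet"}}}
    for every (victim, service) group over both thresholds.
    """
    buckets = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_SERVICES:
            continue  # only replies originating from DNS/NTP server ports
        b = buckets[(f.dst_ip, REFLECTOR_SERVICES[f.src_port])]
        b["reflectors"].add(f.src_ip)
        b["packets"] += f.packets
        b["bytes"] += f.nbytes

    alerts = defaultdict(dict)
    for (victim, service), b in buckets.items():
        avg = b["bytes"] / b["packets"] if b["packets"] else 0.0
        if len(b["reflectors"]) >= min_reflectors and avg >= min_bytes_per_packet:
            alerts[victim][service] = {
                "reflectors": len(b["reflectors"]),
                "packets": b["packets"],
                "bytes": b["bytes"],
                "bytes_per_packet": round(avg, 1),
            }
    return dict(alerts)


# Constructed sample: five open resolvers and four NTP servers all "answering"
# 203.0.113.10 (the spoofed victim) with large responses, plus ordinary traffic.
SAMPLE_FLOWS = [
    Flow(f"198.51.100.{i}", 53, "203.0.113.10", 40000 + i, "udp", 1000, 1_200_000)
    for i in range(1, 6)
] + [
    Flow(f"192.0.2.{i}", 123, "203.0.113.10", 50000 + i, "udp", 500, 234_000)
    for i in range(1, 5)
] + [
    # A genuine DNS answer to another host: one source, small response.
    Flow("198.51.100.53", 53, "203.0.113.20", 51234, "udp", 2, 200),
    # A zone transfer over TCP/53: not a UDP reflection candidate at all.
    Flow("198.51.100.53", 53, "203.0.113.20", 51235, "tcp", 40, 52_000),
]


if __name__ == "__main__":
    for victim, services in detect_reflection(SAMPLE_FLOWS).items():
        for service, s in services.items():
            print(f"{victim}: {service} reflection from {s['reflectors']} servers, "
                  f"{s['bytes_per_packet']} B/pkt, {s['bytes']} bytes total")
```

The two thresholds encode the two halves of the pattern: the reflector count says "many servers you never asked", and the bytes-per-packet figure says "answers far bigger than a query", which is exactly why these services are attractive as amplifiers.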

This attack worked differently. The traffic came directly from the members of an enormous botnet, and instead of being made up of infected Windows computers, the botnet was mostly made up of subverted devices: network-attached cameras, digital video recorders, and other devices exposed to the Internet but configured with well-known default passwords. We still talk about the “Internet of Things” (IoT) in the future tense, yet it has already been used for the biggest attack ever.

This trend will just continue. The source code for the botnet malware (later named Mirai) had been circulating on the “dark net”, but it is now easy to find. Botnets built from the same code were used in the 21 October 2016 DDoS attack that took out DNS service for Twitter, Reddit, GitHub, Netflix, the New York Times, and many other popular web sites.

The Krebs attack didn’t hold the title of “World’s Largest” for long. A French Internet service provider was hit a few days later with a DDoS flood of about 1 Tbps (that is, 1,000 Gbps) from a botnet of IoT devices.

But Why Did This Happen?

Krebs had written an article criticizing cyber criminals who were extorting victims through DDoS attacks.

You might write an article saying “The homicide rate in Honduras is almost 85 per 100,000 people per year, the highest in the world. Those murderers are bad people!”

You wouldn’t worry too much about writing such a thing (unless you actually live there). Even if you were to visit, you wouldn’t wear a T-shirt saying “I’m the author of that article criticizing the local murderers.”

In the physical world we have a great deal of physical isolation, and anonymity on top of that.

In cyberspace, no place is more than about 200 milliseconds away. We have no isolation. And as for anonymity…

Cyberspace Provides An Easier Target

In another very recent example, Newsweek published a report criticizing a U.S. Presidential candidate and was immediately targeted by a DDoS attack based out of Russia that appears to be retaliation for the article.

If you didn’t want people seeing a Newsweek article a few years ago, you would have to either interrupt multiple magazine printing facilities or shut down all the news stands. Neither is really practical.

Today, all you have to do is shut down newsweek.com.

It’s Not Just Retaliation

So-called ransomware encrypts data and demands payment for the key (and the decryption software) needed to recover the information. CryptoLocker has been the most prominent example.

Ransomware encrypts all the data it can reach. It hits one user on one desktop workstation, but then reaches into the corporate file servers and encrypts every file that user’s account can write to.

As I mentioned last week, every worker must protect their account in order to protect the organization.

Maybe The DDoS Attack Is Just To Distract Us From The Real One

Neustar has reported that some DDoS attacks seem to be launched only to divert response teams away from the real target. About a third of the DDoS victims they studied later discovered that malware had been activated while the flood was providing a very noisy distraction.
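The practical check that follows from this is simple to state and easy to forget during an incident: take the time window of the flood and list everything else your sensors saw in it. The script below is an added example, not code from the original post or from Neustar: it derives the flood window from a constructed traffic-monitor feed and then pulls every non-network alert (endpoint, VPN, proxy) that fell inside that window, plus a margin on either side. The alert lines, the field names and the `flowmon` source name are constructed assumptions standing in for whatever your own SIEM exports.

```python
"""Correlate a DDoS window with everything else that happened in it (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed alert feed: "<ISO timestamp> <source> <free text with key=value fields>".
# The two flowmon lines bracket the flood; the rest are unrelated-looking detections.
SAMPLE_ALERTS = [
    "2016-09-20T19:55:00Z flowmon inbound_udp_pps=48000 baseline=900",
    "2016-09-20T20:02:13Z edr host=fin-ws07 new_service=UpdSvc path=C:\\ProgramData\\u.exe",
    "2016-09-20T20:05:41Z vpn user=jdoe login src=198.51.100.77 geo=unusual",
    "2016-09-20T20:08:09Z proxy host=fin-ws07 POST 203.0.113.44:443 bytes_out=24800000",
    "2016-09-20T20:31:00Z flowmon inbound_udp_pps=700 baseline=900",
    "2016-09-21T03:10:00Z edr host=hr-ws02 scheduled_task=cleanup",
]


def parse_line(line):
    """Split one alert line into timestamp, source and key=value fields."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "source": source, "raw": rest, "fields": fields}


def parse(lines):
    return [parse_line(l) for l in lines if l.strip()]


def ddos_windows(events, ratio=10.0):
    """Return [(start, end)] periods where inbound pps is >= ratio * baseline.

    Opens a window on the first monitor line over the ratio and closes it on
    the next one under it; a still-open window closes at the last event seen.
    """
    windows, start = [], None
    for e in events:
        if e["source"] != "flowmon":
            continue
        pps = float(e["fields"]["inbound_udp_pps"])
        base = float(e["fields"]["baseline"])
        flooding = pps >= ratio * base
        if flooding and start is None:
            start = e["ts"]
        elif not flooding and start is not None:
            windows.append((start, e["ts"]))
            start = None
    if start is not None and events:
        windows.append((start, events[-1]["ts"]))
    return windows


def events_during(events, windows, margin=timedelta(minutes=15)):
    """Every non-monitor event inside any window, widened by `margin` on both sides.

    The margin matters: a foothold is often planted shortly before the noise starts.
    """
    return [
        e for e in events
        if e["source"] != "flowmon"
        and any(s - margin <= e["ts"] <= t + margin for s, t in windows)
    ]


if __name__ == "__main__":
    evts = parse(SAMPLE_ALERTS)
    wins = ddos_windows(evts)
    for s, t in wins:
        print(f"DDoS window {s:%H:%M}-{t:%H:%M} UTC; review these:")
    for e in events_during(evts, wins):
        print(f"  {e['ts']:%H:%M:%S} {e['source']:6} {e['raw']}")
```

Run against the constructed feed this leaves three items for the responders: a new service on `fin-ws07`, an unusual VPN login, and a large outbound POST from the same workstation, all of which happened while the flood was the only thing anyone was looking at. The next-day scheduled task on `hr-ws02` falls outside the window and is left alone.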

The Lesson?

Cyber attacks are no longer the work of idle teenagers. Major criminal organizations and national governments are behind the big ones today, and they can afford the expertise needed to make these attacks complex, difficult to prevent, difficult to clean up, and sometimes difficult even to notice.

If a DDoS attack quickly goes away, that’s great. But check to see if any subtle attacks came in at the same time!
